URL Passive Scan
What does this MR do?
This MR adds the ability to disable the DAST spider and scan only the URLs specified in the DAST_URLS environment variable.
Omissions
The focus for the MR is to get a working skeleton to scan by a list of URLs. This MR does not take into account:
- Passing CLI options to ZAP
- Dealing with when the URL list fails to be written to a file
I plan to add these in subsequent MRs.
To run this code locally, cd into the project directory and build DAST:
docker build -t dast .
Start a basic site:
invoke server.basicsite
Since we want a safe place for DAST to write its log and reports to, create a new directory to run DAST from.
mkdir -p ~/dast_tmp/output
cd ~/dast_tmp
Run the scan with the environment variable DAST_URLS set, which defines the URLs DAST should scan.
docker run \
--rm \
--network host \
-v "${PWD}":/output \
--env DAST_URLS=http://localhost:8010,http://localhost:8010/page2.html \
dast /analyze -d -t http://localhost:8010 >url_scan.log 2>&1
Once DAST completes you'll have the DAST JSON report gl-dast-report.json (which includes the vulnerabilities found and the list of URLs scanned), the log url_scan.log and the ZAP log zap.out.
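As an added example (not code from this MR or from the DAST project), the following POSIX sh helpers show the two things the procedure above relies on: splitting the comma-separated DAST_URLS value into one URL per line, and writing that list to a file while reporting failures (the case the Omissions section leaves for a follow-up) instead of silently scanning nothing. The image tag "dast" and the target http://localhost:8010 are taken from the description; the DAST_TARGET and RUN_DAST_SCAN variables are assumptions introduced here so the helpers can be sourced without a Docker daemon.

```shell
#!/bin/sh
# Added example, not part of the MR: handle DAST_URLS as a list and write
# it to a file before invoking the scan described above.

# Split a comma-separated list into one URL per line, trimming whitespace
# and dropping empty entries (so "a, b,," yields exactly two lines).
split_urls() {
    printf '%s' "$1" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' \
        | grep -v '^$'
}

# Number of usable entries in the list (used for quick sanity checks).
count_urls() {
    split_urls "$1" | wc -l | tr -d ' '
}

# Return 0 only if every entry is an absolute http(s) URL; otherwise
# name the offending entry on stderr and return 1.
validate_urls() {
    split_urls "$1" | while IFS= read -r u; do
        case "$u" in
            http://*|https://*) ;;
            *) echo "DAST_URLS: rejected entry '$u' (must start with http:// or https://)" >&2
               exit 1 ;;
        esac
    done
}

# Write the validated list to the file named by $2. A failed redirect
# (missing directory, read-only mount) or an empty result is reported
# rather than ignored, so the scan never runs with no URLs by accident.
write_url_file() {
    validate_urls "$1" || return 1
    if ! split_urls "$1" > "$2"; then
        echo "could not write URL list to $2" >&2
        return 1
    fi
    if [ ! -s "$2" ]; then
        echo "URL list written to $2 is empty" >&2
        return 1
    fi
}

# The docker invocation from the MR description, wrapped so that the URL
# list is checked first. DAST_TARGET (assumed variable) defaults to the
# basic site used above; the scan only runs when RUN_DAST_SCAN=1.
run_url_scan() {
    validate_urls "$DAST_URLS" || return 1
    docker run --rm --network host \
        -v "${PWD}":/output \
        --env DAST_URLS="$DAST_URLS" \
        dast /analyze -d -t "${DAST_TARGET:-http://localhost:8010}" \
        >url_scan.log 2>&1
}

if [ "${RUN_DAST_SCAN:-0}" = "1" ]; then
    run_url_scan
fi
```

Run it as `RUN_DAST_SCAN=1 DAST_URLS=http://localhost:8010,http://localhost:8010/page2.html sh scan.sh` from ~/dast_tmp to reproduce the command above; without RUN_DAST_SCAN the file can be sourced to use the helpers on their own.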
What are the relevant issue numbers?
Does this MR meet the acceptance criteria?
- Changelog entry added
- Documentation created/updated for GitLab EE, if necessary
- Documentation created/updated for this project, if necessary
- Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- Job definition updated, if necessary
  - Job definition example
  - Vendored CI Templates (also in CE)
- Conforms to the code review guidelines
- Conforms to the Go guidelines
- Security reports checked/validated by reviewer
Edited by Craig Smith